Let’s take a look at a real-world scenario that I ran into a few weeks ago with a family friend. For the sake of this story, let’s call him Bob. Bob lost access to a pretty important online account.
Bob had mentioned that he wasn’t able to log in to his Facebook account anymore and was wondering if I could help him. Bob is a pretty savvy guy. He’s been using computers for decades for his job in sales and for running his own business. His kids got him a new tablet for Christmas - a Surface, which runs Windows 10 because his kids knew he’d be comfortable with it, and most importantly, these are the last days of Windows 7 and if you haven't upgraded to Windows 10, you're putting your business at risk for data breaches. Ask yourself, particularly if you have to be HIPAA compliant and still using Windows 7, can your business afford to pay $10,000 a day?
Bob got his new tablet, ran through the setup process, and tried logging into Facebook, only to not remember his password. He’s been used to his Facebook account remaining logged in on his computer for so long that he couldn’t remember the password. No big deal.
This is where he was at when he asked for my help, so I said sure thing.
I asked Bob if he had tried clicking the “Forgot account?” link when trying to log in. That gives you a few options to reset your password. Facebook made him go through and prove that it was him - he had to look at some pictures of contacts and match them with their names. Since some of his Facebook friends didn’t use photos of themselves but instead had pictures of their kids, this was a bit of a challenge for Bob. He had gone through the process but never received an email, so he figured he was stuck.
I walked him through this and, according to Facebook, we gave enough correct answers to generate the password reset email. We logged into Bob’s Gmail account, but that email didn’t show up. That’s when we determined that his Facebook account was tied to Bob’s old Hotmail email account.
I said, “Alright Bob, let’s just log into that Hotmail account, the email should be there.”
Bob replied, “I’m not sure I know the password for that either, usually I’m just logged in on my work computer.”
This makes the situation a little trickier. Fortunately, Hotmail (which now redirects to Microsoft’s online Outlook email service) has its own ways to get back in, provided that the information on the account is up-to-date. I was able to get an automated phone call from Microsoft because Bob’s home phone number was on the account.
Microsoft gave me a 6-digit security code and I was able to reset Bob’s Hotmail email, get to the Facebook reset password email, and reset his Facebook password.
I then helped Bob go into his Facebook account and add his Gmail account as an alternative email. You can do so by going to your Settings > General > Contact and clicking Add another email or mobile number.
Crisis averted, and Bob was grateful! Unfortunately, that’s when I realized that Bob had bigger problems.
Before closing everything and passing the tablet back to Bob, I noticed that his Hotmail account had emails from his bank and his domain registrar (Bob owned a few domains for some local properties that he manages and one for a veterans site he is a part of).
I said, “Hey Bob, it’s really a good thing we got you access again to your Hotmail account - it’s tied to your bank and some other important stuff!”
I was pretty shocked and concerned for Bob, but he shrugged and said something along the lines of, “Well, that’s why I have you.”
I was flattered of course, but later that evening, Bob and I sat down at a desktop and went through everything together to secure his accounts. If he had not been so lucky to gain access to that old Hotmail account, or if he somehow got logged out from his work computer, he would have had a hard time getting back into his bank account or his domain registrar.
We scoured through Bob’s Hotmail to find any online service that was tied to it. Essentially anything he was using or purposely subscribed to. We found that his cable subscription, Netflix, his bank, his domain registrar, and a few other accounts were all tied to the Hotmail account.
Bob decided he would rather use his Gmail account for everything, so we took our time and logged into each account, and changed the emails, and while we were at it, we reset the passwords (Bob used the same password on multiple accounts pretty often). A password manager would make remembering passwords easier, reducing the need for Bob to use the same password because he could remember it. For example, if you like being part of Google's ecosystem, Chrome's password manager makes password security a breeze!
We also set up 2FA or two-step verification on all of the accounts possible, including his Hotmail and Gmail accounts. We made sure each account had his updated address and home phone number, as well as his cell number. One goal you should give yourself for 2020 is to Start Using Two-Factor Authentication Everywhere, Today!
Instead of using Chrome to remember all of these new passwords, we set up a LastPass account, which is one of many password managers. For a single home user, LastPass works great. For small businesses looking to manage their passwords, give KT Connections a call at 605-341-3873 to talk about solutions geared for businesses.
We plugged everything into LastPass and set it up on both his desktop and his new tablet. Now Bob can have unique, complex passwords on all of his accounts and not need to remember them or store them on sticky-notes.
It took a few hours, but together we totally cleaned up Bob’s online accounts and made sense of everything, AND we secured everything with strong passwords and 2FA. This is something everyone should do once a year.
In short, here’s a punch list of what we did, so you can repeat it for yourself.
Expect to spend a few hours doing this, especially if you haven’t done it at all over the years. When you are all done though, you’ll be in good shape and never run into an issue where you can’t access something important. Finally, after your password audit, it's time for a network audit, which is always a good idea. For more information about the IT services we can offer your organization, reach out to us at 605-341-3873.